SSO Quickstart Guide
1 General Introduction
1.0.1 Welcome!
Whether you are a human-centered design professional or a stakeholder in promoting design thinking at your organization, LUMA is here to help guide you through the process of enabling single sign-on.
1.0.2 What is single sign-on?
Single sign-on, also known as SSO, is a corporate mechanism for managing employee access to company resources, including email and cloud applications. Rather than having a different username and password for every application, users log in to different resources with the same corporate identity, and user access is managed in one central location. Enabling single sign-on can help streamline the adoption of LUMA Workplace Enterprise Access because:
- Users only need their corporate credentials to get started.
- Organizational IT teams manage access and security controls.
- User provisioning happens automatically.
- There is no need to apply or manage licenses.
Single sign-on is the best and most secure way to open up LUMA Workplace Enterprise Access to team members interested in human-centered design. Existing users with login credentials will retain access to their account data after the integration is enabled.
1.0.3 How is single sign-on enabled?
Single sign-on is a technical integration that requires collaboration between the technical team at LUMA Institute and your organization. Since every organization has a different implementation of single sign-on, it is important that the LUMA team understands your capabilities and organizational requirements for enabling single sign-on. Below is a sample roadmap to give you a better understanding of the steps involved.
Step | Description | Deliverable |
---|---|---|
1 | Identify the technical team members who manage single sign-on | Introduce LUMA to your technical leads via email |
2 | LUMA will connect with technical leads to discuss specifics of the integration | Understand requirements and capabilities of integration |
3 | Technical team will configure staging and production integrations according to LUMA’s specifications | Approval and implementation of organizational configurations |
4 | LUMA will verify staging integration with technical team | Validate that SSO is working properly in staging |
5 | LUMA will schedule a date with your technical team to enable it in production | Validate that SSO is working properly in production |
The best way to ensure a quick integration is to limit the size of the audience and identify the technical team members who have the access and knowledge to debug and deploy single sign-on integrations.
2 Technical Specifications
2.0.1 Supported single sign-on features
LUMA Workplace Enterprise Access supports most SSO providers compliant with the SAML 2.0 standard. This includes Azure, GSuite and Ping Federation. Features include:
- Service provider (SP) initiated login via a customized LUMA domain
- Identity Provider (IDP) initiated logins
- Automated provisioning for federated users
- Assertion signing (requires special request)
- Simple metadata exchange for enabling integration
LUMA Workplace Enterprise Access does not currently support the following features:
- Assertion encryption
- IP Whitelisting
- Static IP addresses
- User management API
- Duplicated assertion attributes
- Organizational or administrative roles
The following SAML attributes must be sent by the IDP to LUMA Workplace Enterprise Access (attribute names are case sensitive):
- uid (sourced from one of: mail, employeeID, eduPersonTargetedID or eduPersonPrincipalName)
- firstName
- lastName
- emailAddress
User profiles will be provisioned automatically from these attributes on the first authenticated session. The uid attribute should be an internal identifier that will not change during employment. Please verify that the SSO configuration sends these attributes correctly.
2.0.2 Staging configuration
If your organization’s staging identifier is “example”, the staging domain for testing the SSO integration will be located at:
https://example.ifp.fail
After creating a staging SSO configuration, please configure the following settings:
- Entity ID: https://example.ifp.fail/saml/metadata
- ACS: https://example.ifp.fail/saml/acs
- Start URL: https://example.ifp.fail/saml/sso
The following SAML attributes are required (attribute names are case sensitive):
- uid (sourced from one of: mail, employeeID, eduPersonTargetedID or eduPersonPrincipalName)
- firstName
- lastName
- emailAddress
After the integration has been saved, please download your staging metadata in plaintext format and share it with the LUMA team. Please include screenshots of your attribute configuration.
LUMA Workplace Enterprise Access staging metadata can be downloaded by visiting:
https://example.ifp.fail/saml/metadata
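As a check a technical team can run against a test assertion from the staging IDP before sharing metadata with LUMA, the script below (an added example, not LUMA's code) verifies the four required attribute names case-sensitively, rejects duplicated assertion attributes, which LUMA does not support, and confirms the Audience matches the staging SP Entity ID from this section. The sample assertion is constructed for illustration and deliberately contains two of the mistakes this guide warns about.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("uid", "firstName", "lastName", "emailAddress")  # case sensitive
STAGING_ENTITY_ID = "https://example.ifp.fail/saml/metadata"  # staging Entity ID from this guide
# Constructed sample assertion (not captured from a real IDP): it sends "FirstName"
# instead of "firstName" and sends emailAddress twice, both of which LUMA rejects.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.ifp.fail/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>e12345</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="emailAddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, entity_id=STAGING_ENTITY_ID):
    """Return a list of problems; an empty list means the assertion meets the guide's requirements."""
    root = ET.fromstring(xml_text)
    problems = []
    names, values = [], {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        name = attr.get("Name")
        names.append(name)  # keep exact names so case mismatches stay visible
        values.setdefault(name, []).extend(
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    for name in REQUIRED:
        if name not in names:
            alt = [n for n in names if n.lower() == name.lower()]
            problems.append(f"{name}: sent as {alt[0]!r}, names are case sensitive"
                            if alt else f"{name}: missing")
        elif not any(values[name]):
            problems.append(f"{name}: empty value")  # uid in particular must never be empty
    for name in sorted(set(names)):  # duplicated assertion attributes are unsupported
        if names.count(name) > 1:
            problems.append(f"{name}: sent {names.count(name)} times")
    audience = root.find(".//saml:Audience", NS)  # must equal the SP Entity ID of this environment
    if audience is None or (audience.text or "").strip() != entity_id:
        problems.append(f"Audience: expected {entity_id}")
    return problems

if __name__ == "__main__":
    for problem in check_assertion(SAMPLE):
        print(problem)
```

Run it against an assertion exported from the staging IDP test user; pass the production Entity ID as the second argument when repeating the check for the production configuration.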
2.0.3 Production configuration
If your organization’s production identifier is “example”, the production domain that end users will use for LUMA Workplace Enterprise Access will be located at:
https://example.lumaworkplace.com
After creating a production SSO configuration, please configure the following settings:
- Entity ID: https://example.lumaworkplace.com/saml/metadata
- ACS: https://example.lumaworkplace.com/saml/acs
- Start URL: https://example.lumaworkplace.com/saml/sso
The following SAML attributes are required (attribute names are case sensitive):
- uid (sourced from one of: mail, employeeID, eduPersonTargetedID or eduPersonPrincipalName)
- firstName
- lastName
- emailAddress
After the integration has been saved, please download your production metadata in plaintext format and share it with the LUMA team. Please include screenshots of your attribute configuration.
LUMA Workplace Enterprise Access metadata can be downloaded by visiting:
https://example.lumaworkplace.com/saml/metadata
3 Access Considerations
3.0.1 Supported Browsers
LUMA Workplace Enterprise Access supports the most popular browsers, within their two most recent versions:
- Firefox
- Chrome (Desktop and Mobile)
- Safari (Desktop and Mobile)
- IE 11+
3.0.2 External Resources
If a corporate internet proxy is in place at your organization, make sure the following domains are whitelisted so that end users can access all of the content being made available:
Domain | Description | Required |
---|---|---|
https://lumaworkplace.com | Production Domain | Yes |
https://ifp.fail | Staging Domain (for testing only) | Yes |
https://launchdarkly.com | Feature Flagging | Yes |
https://sproutvideo.com | Streaming Video Content | Yes |
3.0.3 Migrating existing users to single sign-on
Organizational users with pre-existing LUMA Workplace accounts can be migrated easily to SSO, provided that their unique identifier matches the one sent by the IDP. In situations where the unique identifier does not match existing accounts, LUMA can migrate these users using a master list supplied by the organization. LUMA will work with your organization to develop a rollout plan that addresses the change in the login process.